The Antisec wing of Anonymous revealed on Saturday that it had compromised the servers of the private intelligence firm Strategic Forecasting Inc.—allegedly seizing millions of internal documents and thousands of credit card numbers from the company, more commonly known as Stratfor.

That would be a major breach of private information from any firm. But this hack could prove particularly significant, because Stratfor serves as an information-gathering and open source intelligence analysis resource for both the US military and major corporations.

Antisec breached Stratfor's networks several weeks ago, according to sources within the group that attacked the firm. On Saturday, Antisec began posting credit card details of a few Stratfor customers on Internet Relay Chat. But that's just the start of a much larger data dump, the group claims. Anonymous is planning to release much more information, up to 200GB worth, in parts throughout the week leading up to New Year's Eve. That trove allegedly includes 860,000 usernames, e-mails, and MD5-hashed passwords; data from 75,000 credit cards, including the security codes used for card-not-present transactions; and over 2.5 million Stratfor e-mails, internal Stratfor documents from the company's intranet, and support tickets from it.stratfor.com.

"Four servers were rooted and wiped," said one participant in the attack, "Charred like ashes, just like what we plan on doing with their old crumbling world."

Stratfor's website is currently down. But on its Facebook page, the company admitted that "an unauthorized party disclosed personally identifiable information and related credit card data of some of our members. We have reason to believe that your personal and credit card data could have been included in the information that was illegally obtained and disclosed."

"We have also retained the services of a leading identity theft protection and monitoring service on behalf of the Stratfor members that have been impacted by these events," the firm added.

According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice the card brands' PCI Data Security Standard prohibits: the security code may not be retained after a transaction is authorized, even in encrypted form.
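To make the two failures in that paragraph concrete, here is an added example; it is not Stratfor's code and has nothing to do with Ubercart's own modules. It shows a toy order-storage routine of the kind described (card number and security code written to the database in cleartext) beside a hardened version that never persists the security code and keeps only a keyed reference plus the last four digits, and a scanner of the sort an assessor would run over a database export to find Luhn-valid card numbers and populated security-code columns. The sample order, the in-memory SQLite tables and the column names are constructed for the example; the keyed reference is a stand-in for the token a payment processor would return, and the assumption is that its key lives in a KMS or HSM rather than beside the data.

```python
import base64
import hashlib
import hmac
import os
import re
import sqlite3

# Constructed sample order. The PAN is the public Visa test number, not a real card.
SAMPLE_ORDER = {
    "customer": "alice@example.com",
    "pan": "4111111111111111",
    "exp": "12/14",
    "cvv": "123",
}

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
CVV_COLUMNS = {"cvv", "cvv2", "cvc", "cid", "security_code"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by every major card brand; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders_insecure (customer TEXT, pan TEXT, exp TEXT, cvv TEXT)")
    db.execute("CREATE TABLE orders_hardened (customer TEXT, pan_ref TEXT, last4 TEXT, exp TEXT)")
    return db


def store_order_insecure(db: sqlite3.Connection, order: dict) -> None:
    """The pattern the article describes: PAN and security code persisted in cleartext."""
    db.execute(
        "INSERT INTO orders_insecure VALUES (?, ?, ?, ?)",
        (order["customer"], order["pan"], order["exp"], order["cvv"]),
    )


def store_order_hardened(db: sqlite3.Connection, order: dict, ref_key: bytes) -> None:
    """The CVV goes out with the authorisation request and is then dropped; it is never written.

    Instead of the PAN we keep a keyed, non-reversible reference (a stand-in for the
    token a payment processor returns) and the last four digits for display.
    """
    digest = hmac.new(ref_key, order["pan"].encode(), hashlib.sha256).digest()
    pan_ref = base64.urlsafe_b64encode(digest).decode().rstrip("=")
    db.execute(
        "INSERT INTO orders_hardened VALUES (?, ?, ?, ?)",
        (order["customer"], pan_ref, order["pan"][-4:], order["exp"]),
    )


def find_cleartext_card_data(db: sqlite3.Connection, table: str) -> list:
    """Scan every text cell of a table; return (row, column, kind) for each hit."""
    cur = db.execute(f"SELECT * FROM {table}")  # table names here are our own constants, never user input
    cols = [d[0] for d in cur.description]
    findings = []
    for rownum, row in enumerate(cur.fetchall()):
        for col, val in zip(cols, row):
            if not isinstance(val, str):
                continue
            for m in PAN_RE.finditer(val):
                if luhn_ok(m.group()):
                    findings.append((rownum, col, "pan"))
            if col.lower() in CVV_COLUMNS and re.fullmatch(r"\d{3,4}", val):
                findings.append((rownum, col, "cvv"))
    return findings


def demo() -> tuple:
    db = open_db()
    store_order_insecure(db, SAMPLE_ORDER)
    # Assumption: in production the key comes from a KMS/HSM, never from the same database.
    store_order_hardened(db, SAMPLE_ORDER, ref_key=os.urandom(32))
    return (
        find_cleartext_card_data(db, "orders_insecure"),
        find_cleartext_card_data(db, "orders_hardened"),
    )


if __name__ == "__main__":
    insecure, hardened = demo()
    print("insecure table:", insecure)
    print("hardened table:", hardened)
```

Running demo() returns two finding lists: the insecure table yields a PAN hit and a CVV hit on row 0, the hardened table yields nothing. Pointed at a real export, the Luhn check cuts most false positives from order numbers and phone numbers that happen to be 13 to 19 digits long, and the column-name check catches the specific mistake the article describes, a security code sitting in storage at all.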

The first information to be released was a client list culled from Stratfor's report subscribers, showing self-reported employment data. Next came over 30,000 credit cards, accompanied by the announcement that they'd been used to "expropriate" money from banks for charities via small-dollar donations. Anonymous participants estimated they had donated between $500,000 and $1,000,000 to charities fraudulently. They released screenshots of some of the charges, including to the Red Cross, Care, which fights poverty around the world, and the EFF. While there's no sign the cards have been used for personal gain, the op's participants were unconcerned about the possibility that the charities themselves could be harmed. Said one: "I understood that that could be a procedural consequence, but the credit card corporations have a choice, to either bite it themselves (poor them, with all their billion dollar bailouts), punish the client, or worst of all, punish the charities that have had nothing to do with this."

There's a real possibility of damage to smaller organizations if the Anonymous donations result in massive chargebacks for fraud. For instance, the Appropriate Infrastructure Development Group (AIDG), which works on access to electricity, sanitation, and clean water, tweeted earlier today: "Stratfor Global has us worried. Pls don't donate to AIDG with stolen credit cards, we get hit $35 per fraudulent transaction! #anonymous RT"

A fraudulent Red Cross donation screen captured by Anonymous

According to Antisec participants, Stratfor was targeted because of its client list, which includes major companies and government entities, but also because it was terribly insecure. This may presage future victims, as the group drifts away from picking targets for their humor value and easy hackability and towards picking targets in line with its political goals. "We believe police and employees who work for the most significant Fortune 500 companies are the most responsible for perpetuating the machinery of capitalism and the state," said one Antisec participant, "That there will be repercussions for when you choose to betray the people and side with the rich ruling classes."

Antisec says that future Lulxmas targets will include law enforcement groups and the companies that supply them.

105 Reader Comments

I personally would like to see these groups target Iran and hack down their repressive government. A government that tortures people and abuses human rights. And they are stirring up a whole big nest of trouble. All of us read the news, so I need not go on. Just thinking they would be a good target for the hackers of the whole world.

Wow, $35 per fraudulent transaction. Methinks Stratfor should be on the line for the bills since they stored security codes of their customers. We need some laws yesterday making corporations fiscally accountable for data breaches which result in obtaining personal information that shouldn't have been there in the first place.

I don't care how many people believe Anonymous (and Antisec) is evil, that's one hell of a kind act.

How do you figure? It doesn't take much kindness at all to donate a whole bunch of other people's money. Particularly considering that there are negative consequences for that, that happen to fall on the people you say you are trying to be kind to.

Anonymous participants estimated they had donated between $500,000 and $1,000,000 to charities fraudulently.

Kicked a huggge company and donated a cool mil to charity...

I dont care if they kicked a puppy AND kitten... these guys are heroes!

Heroes my ass. Heroes would do something like cure cancer, rid the world of radical religion, eliminate terrorism, get rid of world hunger.

Instead they are targeting people and companies that have jobs to do (whether or not you like what they do), then stealing money and giving to charitable agencies that are going to have to give the money back.

Heroes? More like anarchists.

Tell you what, I'll hack someplace that has your data, and then use some of your money to give to the NRA to support my rights.

Is there some point at which storing sensitive data in plain text format can be considered criminally negligent?

Criminal negligence usually has to have possibility of injury or death, or at least damage to property, as a possible result. This probably would remain in the realm of civil liability, which is probably better anyways, as the burden of proof is lower.

Is there some point at which storing sensitive data in plain text format can be considered criminally negligent?

I agree with this, however it seems that it would be at least a little bit of work to secure the data. If you hash it, it is only useful for checking, I think. If you encrypt it, you need to do a song and dance with encryption servers, since you can't store your encryption and decryption keys with the application (which they should do). The CVV code is an egregious error which they can hopefully be sued for. Regardless, it seems they were not in PCI compliance.

How can people support this? I don't know much about this intelligence company but a quick google search makes them seem like a fairly unbiased company that does work for everyone from the FBI to major companies to newspapers. So they were targeted because of a few of their clientele? What's next my local bar because a few cops get drinks there after their shift? Also this is going to cost these charities money and they aren't going to see a penny of what was "donated".

Stories like this really push me towards changing my major over to computer science...a little late now though. It's one thing when China hacks us, but these fools are damaging other people's livelihoods for misguided political gain. Worse, people cheer it on because it hurt an 'evil' corporation. Pathetic.

How can people support this? I don't know much about this intelligence company but a quick google search makes them seem like a fairly unbiased company that does work for everyone from the FBI to major companies to newspapers. So they were targeted because of a few of their clientele? What's next my local bar because a few cops get drinks there after their shift? Also this is going to cost these charities money and they aren't going to see a penny of what was "donated".

Well, I'm a contractor myself. I'm a security consultant... Security Through Absurdity Enterprise Services. And speaking as a contractor, I can say that a contractor's personal politics come heavily into play when choosing jobs. Three months ago I was offered a job down in the valley. A beautiful data center with tons of servers. It was a simple security update and transition job, but I was told that if it was finished within a day, my price would be doubled. Then I realized whose data center it was. Aaron Barr's. The money was right, but the risk was too big. I knew who he was, and based on that, I passed the job on to a friend of mine. And that week, those Anonymous guys put a hit on Barr's servers. My friend's laptop was hacked and shorted out. He wasn't even finished with the update. My laptop and reputation are alive because I knew there were risks involved taking on that particular client. My friend wasn't so lucky. You know, any contractor willing to work on that Death Star knew the risks. If they were killed, it was their own fault. A techie listens to this... his heart... not his wallet

"According to Antisec, Stratfor was using the e-commerce suite Ubercart to handle customer information. The software has built-in encryption, but Stratfor apparently used custom modules that stored customer data in cleartext. Additionally, Stratfor appears to have stored the card security code of its customers, a practice generally prohibited by credit card companies."

Anonymous participants estimated they had donated between $500,000 and $1,000,000 to charities fraudulently.

Kicked a huggge company and donated a cool mil to charity...

I dont care if they kicked a puppy AND kitten... these guys are heroes!

I doubt you would think it so heroic, were it your pocket being picked.

Heck, you can use that argument for even when Sony was hacked... or any deserving company.

(BTW, we support those hacks as well)

Maybe you'd like to support me getting the $1000 back that was fraudulently donated to two particularly fine charities this past September. I'm not a rich corporation. I'm just a lower middle class guy who I guess irrationally believes that when I give my numbers to a service provider it will be safe from assholes like you.

Heroes? Did you miss the part of the article in which these charities get hit with $35 charges for fraudulent transactions? They are hurting charities, not helping. And you call them heroes. Wow.

I think he missed the part about the "donations" being stolen from the customers, not the corporation, but that's not surprising because like most anti-capitalists he is extremely lazy and believes somebody else should read and comprehend the article summary on his behalf.

I'm just a lower middle class guy who I guess irrationally believes that when I give my numbers to a service provider it will be safe from assholes like you.

Well, you're right about the irrational part. The only reason CC information has any semblance of security attached to it is because the CC companies will yank the ability to complete any transaction if a company doesn't comply with their standards (and the reason for those standards has to do with regulations, if memory serves). And a good many licensee companies try to cut corners on compliance as much as they can. Like those Subway franchises a week ago who actually went out of their way to make their POS systems less secure.

Dante: All right, so even if independent contractors are working on the Death Star, why are you uneasy with its destruction?
Randal: All those innocent contractors hired to do a job were killed, casualties of a war they had nothing to do with. (notices Dante's confusion) All right, look, you're a roofer, and some juicy government contract comes your way; you got the wife and kids and the two-story in suburbia. This is a government contract, which means all sorts of benefits. All of a sudden these left-wing militants blast you with lasers and wipe out everyone within a three-mile radius. You didn't ask for that. You have no personal politics. You're just trying to scrape out a living.
(The Blue-Collar Man (Thomas Burke) joins them.)
Blue-Collar Man: Excuse me. I don't mean to interrupt, but what were you talking about?
Randal: The ending of Return of the Jedi.
Dante: My friend is trying to convince me that any contractors working on the uncompleted Death Star were innocent victims when the space station was destroyed by the rebels.
Blue-Collar Man: Well, I'm a contractor myself. I'm a roofer... (digs into pocket and produces business card) Dunn and Reddy Home Improvements. And speaking as a roofer, I can say that a roofer's personal politics come heavily into play when choosing jobs.
Randal: Like when?
Blue-Collar Man: Three months ago I was offered a job up in the hills. A beautiful house with tons of property. It was a simple reshingling job, but I was told that if it was finished within a day, my price would be doubled. Then I realized whose house it was.
Dante: Whose house was it?
Blue-Collar Man: Dominick Bambino's.
Randal: "Babyface" Bambino? The gangster?
Blue-Collar Man: The same. The money was right, but the risk was too big. I knew who he was, and based on that, I passed the job on to a friend of mine.
Dante: Based on personal politics.
Blue-Collar Man: Right. And that week, the Foresci family put a hit on Babyface's house. My friend was shot and killed. He wasn't even finished shingling.
Randal: No way!
Blue-Collar Man: (paying for coffee) I'm alive because I knew there were risks involved taking on that particular client. My friend wasn't so lucky. (pauses to reflect) You know, any contractor willing to work on that Death Star knew the risks. If they were killed, it was their own fault. A roofer listens to this... (taps his heart) not his wallet.

Heroes my ass. Heroes would do something like cure cancer, rid the world of radical religion, eliminate terrorism, get rid of world hunger.

You're thinking of 'miracle workers' there. With natural means, you can achieve 2/4 of those goals, but they would take quite a lot of effort to do.

Evil_Merlin wrote:

Instead they are targeting people and companies that have jobs to do (whether or not you like what they do), then stealing money and giving to charitable agencies that are going to have to give the money back.

Heroes? More like anarchists.

Tell you what, I'll hack someplace that has your data, and then use some of your money to give to the NRA to support my rights.

They're stealing from the rich (companies) and giving to the poor. I assume that you're not familiar with the tale of Robin Hood?

Robin Hood stole from the rich and gave to the poor.

Anonymous stole from random credit cards belonging to people who may or may not be rich, and donated it to charity. Rich are still rich. Poor are still poor.

They're stealing from the rich (companies) and giving to the poor. I assume that you're not familiar with the tale of Robin Hood?

I guess you don't know the real story behind Robin Hood... The fact was he didn't steal from the rich and give to the poor till the modern era; in historical context he was a criminal, in fact a murderer that simply got sympathy from SOME of the common folk. But that's neither here nor there. It's clear you missed the fact that once the credit card or account owners contact the banks they use and contest the charges in question, the charitable agencies will actually lose money. And it could be a LOT of money.

So are you saying it's OK to steal from rich companies just because they are doing well and give to the poor just because they are doing worse?

I'm just a lower middle class guy who I guess irrationally believes that when I give my numbers to a service provider it will be safe from assholes like you.

Well, you're right about the irrational part. The only reason CC information has any semblance of security attached to it is because the CC companies will yank the ability to complete any transaction if a company doesn't comply with their standards (and the reason for those standards has to do with regulations, if memory serves). And a good many licensee companies try to cut corners on compliance as much as they can. Like those Subway franchises a week ago who actually went out of their way to make their POS systems less secure.

I read about that. It made me think that maybe I should keep a handful of prepaid visas for downloads and lunch. It also made me think about fire bombing Subway, but that's just more of my irrational thinking.

They're stealing from the rich (companies) and giving to the poor. I assume that you're not familiar with the tale of Robin Hood?

They're stealing from Stratfor's *customers*, many of whom are not rich. Even if they were stealing only from the rich, there's a possibility that Robin Hood's actions are only clearly justifiable within a certain historical and political context.

They're stealing from the rich (companies) and giving to the poor. I assume that you're not familiar with the tale of Robin Hood?

Read the article again. The "poor" (charities) are getting hit with fraudulent transaction fees. That's $35 a transaction. It sounds more like they're stealing from the poor and giving to the rich (banks).

Are these guys actually employed by the banks? I can't decide if they're idiots or in cahoots with the banks.

Heroes? Did you miss the part of the article in which these charities get hit with $35 charges for fraudulent transactions? They are hurting charities, not helping. And you call them heroes. Wow.

I think he missed the part about the "donations" being stolen from the customers, not the corporation, but that's not surprising because like most anti-capitalists he is extremely lazy and believes somebody else should read and comprehend the article summary on his behalf.

My card/s were used without my authorization for pretty large sums of money, almost maxing them out. The credit card holders are usually covered for these transactions, and I was, just as these customers will be (one of the good things about using plastic).

As for Visa/MC losing a billion or two every year on these shenanigans, kindly send me a Christmas card reminding me to feel sorry for them.

All of this amused me more when it was primarily about causing chaos and not hacktivism. The charities will lose out anyway, so giving it to them is pointless. Why not use that money on some million dollar freakout of the public? A million bucks buys a lot of crazy.

Anonymous participants estimated they had donated between $500,000 and $1,000,000 to charities fraudulently.

Kicked a huggge company and donated a cool mil to charity...

I dont care if they kicked a puppy AND kitten... these guys are heroes!

I doubt you would think it so heroic, were it your pocket being picked.

So, at worst they donated $1,000,000 from 30,000 credit cards, at an average of $33 stolen from each card. Now granted, I'd rather make my own choice about how and who to donate my money to, but... yeah, completely wouldn't care.

Evil_Merlin wrote:

Tell you what, I'll hack someplace that has your data, and then use some of your money to give to the NRA to support my rights.